1. Field of the Invention
The subject invention relates to secure electronic communication over an insecure communication channel. More specifically, the subject invention relates to systems and methods that can assure a user that two specific devices have exchanged information correctly over an insecure communication channel, even if the two devices did not share a secret or a common root of trust beforehand.
2. Related Art
Mobile devices proliferate and increasingly users need to transmit information between mobile devices and other devices in an ad hoc fashion. Generally the transmission is performed over an efficient in-band channel such as a wired or wireless connection (WiFi, Bluetooth, etc.).
However, in order to prevent inadvertent information leakage, eavesdropping, and fraud, users must assure that the two given devices communicate with each other (the devices pair with each other) and do so securely. This is difficult to achieve if the devices do not share a secret or a common root of trust prior to the pairing. This would be typical on a random first encounter or if the storage capacity of a device is insufficient to retain current security associations with all other devices with which it has to pair. Conversely, having to exchange a common root of trust a priori undermines the basic premise of services such as free WiFi access points. The driver behind the proliferation of free WiFi is easy connectivity without prior knowledge of the characteristics of the WiFi access point.
Secure communication in such situations may be achieved through known anonymous key exchange protocols, which, without additional safeguards, are vulnerable to fraudulent activities, such as man-in-the-middle attacks. In a man-in-the-middle attack, both devices exchange cryptographic keys with an adversary rather than with each other. This results in two separate secure connections, one between the first device and the adversary and another connection between the adversary and the target device. By relaying between the two devices, the adversary learns the entire communication between the two devices.
While the invention is applicable to any type of communication between two devices, the WiFi environment may be used to explain the various problems involved and highlight the benefit of the proposed solution. As wireless technology proliferates there is a growing concern about fraud and phishing attacks based on so-called “evil twin” wireless access points. The evil twin is deployed and controlled by a malicious adversary and mimics a genuine access point. Public places, like cafes or airport terminals, are particularly susceptible to this form of attack. Unsuspecting users who bind to the evil twin compromise their network communications: their login information and passwords can be stolen, or their browsers redirected to look-alike phishing websites and download pages containing malware.
Typically, evil twins have similar names to legitimate hotspots, including names that fit with the location. That many hotspot owners use generic names for their hotspots, like “hotspot” or the name of the service provider, exacerbates this problem. Particularly susceptible are the many laptops, and other wireless devices, configured to automatically connect to an access point that has the same name as one it previously used, or to the access point with the strongest signal. The ease with which an evil twin can be set up has been demonstrated using, for example, Airsnarf, a wireless access point setup utility designed to demonstrate how a rogue access point can steal usernames and passwords from public wireless hotspots.
Since evil twins provide gateway services and DNS settings to connecting clients, hackers gain full control over the clients' network communications. For instance, the evil twin may map the authentic domain name of a banking website to the IP number of a phishing website. This undermines a major trust indicator for the user: the URL displayed in the user's browser, i.e., while the user sees the proper URL in its browser, the address has been hijacked and the user is actually connected to a phishing website. Additional tools, such as Ettercap, come with extensive support for man-in-the-middle attacks on unencrypted, and even encrypted, communications by generating fake certificates, for example. However, detection of intrusions or attacks is still difficult for users because the access point to which a user's device binds does not identify itself in a fashion that can be verified reliably by the user. Without cables, an important implicit ingredient of traditional security policies is missing: the assurance that the user's device is connected to a specific physical endpoint. Instead, wireless devices establish virtual endpoints through advertisement and discovery.
The evil twin problem is closely related to the general problem of pairing two wireless devices, which has attracted a significant amount of research. Standards are drafted that specify alternative security mechanisms for WiFi and Bluetooth. These standards prescribe mechanisms that involve the user in the secure setup of security associations between devices. Three principal mechanisms can be distinguished:
   1. The user manually enters a code into both devices.
   2. One device displays a code, the user enters it into the second device.
   3. Both devices display a code, the user verifies them for equality.
The choice of mechanism depends on the combination of user interface types supported by the pairing devices.
Several authors have suggested means to facilitate the comparison of codes by rendering them on both devices as human-readable words, speech, flag-like symbols, or random art. These mechanisms can work well if the devices support appropriate user interfaces, but become difficult to apply if these user interfaces are limited.
A second (complementary) approach to improve the usability of the comparison task is to trade the length of the code against the attained level of security and the probability of a successful attack. Several authors suggested mechanisms based on this principle. A common realistic assumption is that if the user compares a value with n bits then the adversary should have to perform in the order of $2^n$ units of work in order to break a session of the mechanism with certainty. The cited mechanisms have this property and the prior art suggests that this result is optimal.
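The third mechanism above (both devices display a code, the user compares them) can be illustrated with an anonymous Diffie-Hellman exchange, shown here as an added example that is not taken from the invention or the cited works. The toy group parameters, the hash-based code derivation, and all function names are assumptions made for illustration; the relay is a constructed stand-in for the key-substituting adversary described earlier.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption, demonstration only; a real
# deployment would use a standardized group or elliptic curve).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return pow(peer_pub, priv, P)

def short_code(initiator_pub, responder_pub, bits=20):
    """n-bit comparison code over the two public keys this device saw."""
    data = b"".join(x.to_bytes(32, "big") for x in (initiator_pub, responder_pub))
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def key_substituting_relay(a_pub, b_pub):
    """Constructed adversary: replaces both public keys with its own."""
    _, m_pub = keypair()
    return m_pub, m_pub  # (key delivered to B, key delivered to A)

def pair(relay=None, bits=20):
    """Run one pairing between devices A and B.

    Returns (code displayed on A, code displayed on B, keys_agree).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_b, to_a = (a_pub, b_pub) if relay is None else relay(a_pub, b_pub)
    code_a = short_code(a_pub, to_a, bits)  # A hashes: own key, received key
    code_b = short_code(to_b, b_pub, bits)  # B hashes: received key, own key
    keys_agree = shared_key(a_priv, to_a) == shared_key(b_priv, to_b)
    return code_a, code_b, keys_agree

def user_accepts(code_a, code_b):
    """The user's task in mechanism 3: accept only if both displays match."""
    return code_a == code_b

if __name__ == "__main__":
    for name, relay in (("direct", None), ("relayed", key_substituting_relay)):
        a, b, ok = pair(relay)
        print(f"{name}: A={a:05x} B={b:05x} accept={user_accepts(a, b)} keys_agree={ok}")
```

With an n-bit code, a substituted key chosen at random produces matching displays with probability 2^-n, which is the code-length versus security trade-off discussed above.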
For further relevant information, the reader is encouraged to review: Dirk Balfanz, D. K. Smetters, Paul Stewart, and H. Chi Wong, Talking to Strangers: Authentication in Ad-hoc Wireless Networks, in Proceedings of Network and Distributed System Security Symposium 2002 (NDSS'02), San Diego, Calif., February 2002; Steve Dohrmann and Carl Ellison, Public-key Support for Collaborative Groups, in Proc. 1st Annual PKI Research Workshop, pages 139-148, Gaithersburg, Md., USA, April 2002, National Institute for Standards and Technology; Michael T. Goodrich, Michael Sirivianos, John Solis, Gene Tsudik, and Ersin Uzun, Loud And Clear: Human Verifiable Authentication Based on Audio, in Proc. 26th International Conference on Distributed Computing Systems, IEEE, July 2006; N. Haller, C. Metz, P. Nesser, and M. Straw, A One-time Password System, Internet Request for Comments 2289, Internet Engineering Task Force, February 1998; Jonathan M. McCune, Adrian Perrig, and Michael K. Reiter, Seeing-Is-Believing: Using Camera Phones for Human-Verifiable Authentication, in IEEE Symposium on Security and Privacy, pages 110-124, 2005; Jun Rekimoto, Yuji Ayatsuka, and Michimune Kohno, SyncTap: An Interaction Technique for Mobile Networking, in L. Chittaro, editor, Human-computer interaction with mobile devices and services (Mobile HCI 2003), number 2795 in Lecture Notes in Computer Science, pages 104-115, Springer Verlag, 2003; Nitesh Saxena, Jan-Erik Ekberg, Kari Kostiainen, and N. Asokan, Secure Device Pairing Based on a Visual Channel, in IEEE Symposium on Security and Privacy, May 2006; F. Stajano and R. J. Anderson, The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks, in Proc. 7th International Security Protocols Workshop, pages 172-194, 1999; M. Cagalj, S. Capkun, and J. P. Hubaux, Key Agreement in Peer-to-peer Wireless Networks, Proceedings of the IEEE, 94(2):467-478, February 2006.